Case StudiesManaged Detection and Response

Red Canary MDR sharpens the view from Microsoft Defender for Endpoint

After deploying Red Canary MDR for Microsoft + Defender for Endpoint, a privileged access management company struck the right balance between automation and eyes on glass.

Thycotic empowers more than 10,000 organizations around the globe, from small businesses to the Fortune 500, with a cybersecurity platform to control/secure access and permissions for users, processes and systems across their IT/enterprise environments.. They make enterprise-grade privilege management accessible for everyone by eliminating the need for complex security tools and prioritizing productivity, flexibility, and control.

Overhaul legacy security infrastructure to meet the shifting needs of a dynamic IT provider

Thycotic’s security teams were maxed out managing multiple security tools to monitor and provide robust, relevant detection and response. Their corporate environment consists of diverse endpoints and workstations of mostly Windows 10 and some Mac.

Thycotic turned to the Microsoft Defender security stack when faced with the need to conduct an organization-wide security overhaul replacing a legacy security infrastructure. The existing EDR, MDR, and antivirus tooling from multiple vendors was not integrated to work together seamlessly. The MDR solution itself generated 70-80% false positives, creating alert fatigue and a lot of unnecessary work for the security team.

Thycotic’s Chief Information Security and Privacy Officer Terence Jackson also realized that he needed the human element—eyes on glass—reviewing the raw data from Microsoft Defender for Endpoint to contextualize the information coming in and affecting the endpoints.

Eliminate false positives without sacrificing depth of coverage

Terence understood the necessity of endpoint security as a part of basic security hygiene. However, his multi-vendor security infrastructure was generating too many false positives, making it difficult to wade through them all and investigate the numbers.

He and his small team found it nearly impossible to validate or invalidate the alerts individually. They were spending hours upon hours investigating endpoint alerts, especially during the COVID-19 pandemic with everyone working from home on untrusted networks and conducting personal business on work computers.

A managed detection and remediation platform

Terence began looking for a managed detection and response vendor that had deep expertise with Microsoft Defender for Endpoint and could help them maximize their investment. He chose Red Canary after learning that the team had a rich history with Defender and that the two product teams were closely aligned.

Red Canary’s user-friendly portal makes analyzing confirmed threats simple. Thycotic’s SOC team can drill into the details as deeply as needed and generate executive reports instantly. Red Canary is now Thycotic’s first and second tier of endpoint analysis and remediation, only escalating issues that require his team to take action on the endpoint in a physical manner or on high-value assets.

Fewer, sharper alerts and better sleep at night

Since deploying Red Canary’s Microsoft Defender for Endpoint integration and managed detection and response solution, Terence’s team has reduced alert fatigue by 90 percent. While they used to see 55+ alerts daily, the SOC team now averages about one a week. As an added benefit, they achieved these outcomes without deploying any agents.

Terence says, “I sleep well at night now that we’re not getting a lot of false positives or escalations coming through for remediation. This has really been a set-it-and-almost-forget-it relationship.”


productivity increase


reduced alert fatigue


daily alerts to 1x per week